Tuesday, December 31, 2019
Tuesday, December 10, 2019
Microsoft December 2019 Security Updates Released
The Microsoft December security updates have been released and consist of 36 CVEs. Of these 36 CVEs, 7 are rated Critical, 28 are rated Important and 1 is rated Moderate in severity. None of the patches released this month are listed as publicly known, but one is listed as being actively exploited at the time of release.
The updates apply to the following: Microsoft Windows, Internet Explorer, Microsoft Office and Microsoft Office Services and Web Apps, SQL Server, Visual Studio and Skype for Business.
Reminder: After 1/14/2020 Windows 7 and Windows Server 2008 R2 will be out of extended support and no longer getting security updates.
Known Issues: The following KBs contain information about known issues with the security updates. For a complete list of security update KBs, please see 20191210.
KB Article | Applies To |
---|---|
4484190 | Excel 2013 |
4484179 | Excel 2016 |
4461590 | PowerPoint 2013 |
4484190 | PowerPoint 2016 |
4484190 | Word 2013 |
4484190 | Word 2016 |
4530681 | Windows 10 |
4530684 | Windows 10, version 1803, Windows Server version 1803, Windows 10, version 1809, Windows Server version 1809 |
4530689 | Windows 10, version 1607, Windows Server 2016 |
4530691 | Windows Server 2012 (Monthly Rollup) |
4530698 | Windows Server 2012 (Security-only update) |
4530702 | Windows 8.1, Windows Server 2012 R2 (Monthly Rollup) |
4530714 | Windows 10, version 1709 |
4530715 | Windows 10, version 1809, Windows Server 2019 |
4530717 | Windows 10, version 1803, Windows Server version 1803 |
4530730 | Windows 8.1, Windows Server 2012 R2 (Security-only update) |
4530734 | Windows 7 SP1, Windows Server 2008 R2 SP1 (Monthly Rollup) |
Recommended Reading:
See Dustin Childs' review and analysis in Zero Day Initiative — The December 2019 Security Update Review.
For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary. Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.
Additional Update Notes:
- Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
- MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. Note: Users who are paranoid about the remote possibility of a false positive (FP) can opt to run this tool from a Command Prompt, appending a /N parameter [for "detect only" mode].
- Servicing Stack Updates -- A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update. Learn more about SSUs in Servicing Stack Updates (SSU).
- Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are also available via the Microsoft Update Catalog.
- For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
- Windows Update History:
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...
Adobe Flash Player Update Released
Adobe released Version 32.0.0.303 of Adobe Flash Player for Windows, macOS, Linux and Chrome OS. The update contains assorted functional fixes.
Release date: December 10, 2019
Vulnerability identifier: None
Platform: Windows, Macintosh, Linux and Chrome OS
Update:
- With the option to 'Allow Adobe to install updates', the update will be automatic. Without that setting enabled, either install the update via the update mechanism when prompted or via the Download Center*.
- Windows 7 and earlier: Installation links for Windows 7 and earlier are provided by Adobe at Installation problems | Flash Player | Windows 7 and earlier:
- Flash Player for Internet Explorer - ActiveX
- Flash Player for Firefox/Pale Moon - NPAPI
- Flash Player for Opera and Chromium-based browsers - PPAPI
- Uninstaller (if needed) : http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe
- Microsoft Edge and Internet Explorer 11: Security updates for Adobe Flash Player are automatically updated to the latest version for Windows 8.1 and 10 via Windows Update.
- Google Chrome: Adobe Flash Player will be automatically updated to the latest Google Chrome version.
- Flash Player Uninstaller: http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe
- Adobe AIR: Adobe - Adobe AIR
*Important Note: Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive. If you use the download center, uncheck any unnecessary extras that you do not want. They are not needed for the Flash Player update.
Verify Installation
To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. Do this for each browser installed on your computer.
To verify the version of Adobe Flash Player for Android, go to Settings/Applications/Manage Applications/Adobe Flash Player x.x.
Adobe Acrobat DC and Acrobat Reader DC Security Updates Released
Adobe has released security updates for Adobe Acrobat and Reader that address critical vulnerabilities. The update additionally includes bug fixes.
Release date: December 10, 2019
Vulnerability identifier: APSB19-55
Platform: Windows and MacOS
Update or Complete Download
Reader DC and Acrobat DC were updated to version 2019.02.2.20058. Update checks can be manually activated by choosing Help/Check for Updates.
- Reader DC and other versions are available here: https://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
- Acrobat DC for Windows is available here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
Pale Moon Version 28.8.0 Released with Security Updates
Pale Moon has been updated to version 28.8.0 with security updates*. This is a major development release that includes many improvements as well as some landmark features added/enabled. In addition, many libraries have been updated for added stability and performance.
*A fix identified as "DiD" ("Defense-in-Depth") means that it is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.
From the Release Notes:
New features:
- Added support for modern Solaris operating systems like Illumos (thanks Athenian200!).
- Implemented position:sticky for table parts - You can now use CSS to e.g. stick table headers so they don't scroll off the screen!
- Enabled basic implementation of module type scripting. While not fully spec compliant (yet), this will fix the few web compatibility issues with sites that rely on this feature without fallback (e.g. the Chromium bugtracker).
- Implemented Promise.prototype.finally() (ES2018).
- Implemented Regular Expression lookbehind (ES2018).
- Implemented Regular Expression /s flag (dotAll support) (ES2018).
- Implemented String.prototype.matchAll (regex) (ES2020).
- Added Ekoru to the list of default search engines. This is a Bing-backed search engine that donates the majority of its revenue to various charities that support the planet and animals. An environment-supporting alternative to Ecosia if you don't want to support Google in the process.
- Changed the way tables are rendered to fix a number of spec compliance issues and allow relative positioning of table parts.
- Now building against the Windows 10 SDK 10.0.17763.132 for increased compatibility with Windows 10 and improved Spectre mitigation.
- Removed the unused DiskSpaceWatcher component.
- Updated cairo code.
- Updated SQLite to 3.30.1.
- Updated the Brotli library to 1.0.7.
- Updated the woff2 library to 1.0.2.
- Updated the OpenType Sanitizer to 8.0.0.
- Updated the Javascript math library for precision and performance fixes.
- Updated the embedded Emoji font to Mozilla's COLR-mapped twemoji 0.5.0 (Twemoji 12.1.3), to support Emoji 12.
- Improved CSS grid rendering.
- Changed packaging for archives to use 7z/xz instead of zip/bz2.
- Made the second argument of (DOM/CSS) insertRule() optional for (Chrome) web compatibility.
- Removed the non-standard object.prototype.watch()/unwatch() functions. Please note that this may affect some extensions; those will need to be updated to no longer use these non-standard functions.
- Fixed the status bar module to work around an issue with relying on watch()/unwatch().
- Fixed a build failure in the libcubeb sndio module.
- Fixed a small oversight in the release branch that would potentially still mark jnlp files as executable.
- Fixed the certificate retrieval logic in the certificate exception dialog.
- Fixed an issue with add-ons potentially getting confused during add-on updates due to cached scripts.
- Fixed a crash due to unnecessary reparenting calls in layout.
- Reinstated the mentioning of the number of accelerated/total windows in Troubleshooting Information, for completeness.
- Moved the embedded font for Emoji from application to platform so all UXP applications can easily benefit from it (thanks Tobin!).
- Cleaned up the jemalloc code: Removed dead/unused code, removed conditionals around "always on" code, and made the allocator VLA-free.
- Fixed an oversight in the release branch still marking "jnlp" (Java Web Start) as executable.
- Removed the silent fallback to insecure install locations on Windows. Pale Moon will no longer by default install into unprotected program locations (this was a regression in v28). If your operating system account does not have the necessary privileges, you need to manually select an accessible folder to install into. This is important to prevent malware from modifying installed programs in well-known but otherwise unprotected installation locations.
- Added a preference for, and disabled, the confirmation prompt for URL authentication (prevents evil traps).
- Disabled the use of HPKP by default due to the inherent risks involved with this feature. A preference was added to completely disable header processing, and using preloaded pins is effectively disabled. Please note that this is automatically disabled by default for everyone, regardless of your previous setting for this feature, and it is strongly recommended you keep this feature disabled. HPKP will eventually be removed (overall Internet consensus).
- Fixed a potential issue when interacting with plugins. (DiD)
- Fixed a potential crash scenario when reading PAC configuration. (DiD)
- Fixed a potential issue with text selection painting. (DiD)
- Fixed an issue with element references not being properly updated. (DiD)
- Fixed an issue with incorrect saving of web pages as text. (DiD)
- Fixed a potential issue with clipboard handling. (DiD)
- Fixed a potential issue with attaching the debugger to web workers. (DiD)
- Updated NSS to 3.41.4 to address CVE-2019-11756 and CVE-2019-11745.
- Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 8 DiD, 16 not applicable.
Update: To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window. Click About Pale Moon and Check for Updates.
Tuesday, December 03, 2019
Mozilla Firefox Version 71.0 Released with Security Updates
Mozilla sent Firefox Version 71.0 to the release channel today. The update included thirteen (13) security updates of which six (6) are high and five (5) are rated moderate.
Also released was Firefox ESR Version 68.3.
Note: The following extensions have been removed from the Mozilla addon repository due to concerns that they were tracking a user's activity as they browsed the web: Avast Online Security, Avast SafePrice, AVG Online Security, and AVG SafePrice. Additional information is available at Bleeping Computer.
High
- CVE-2019-11756: Use-after-free of SFTKSession object
- CVE-2019-17008: Use-after-free in worker destruction
- CVE-2019-13722: Stack corruption due to incorrect number of arguments in WebRTC code
- CVE-2019-11745: Out of bounds write in NSS when encrypting with a block cipher
- CVE-2019-17012: Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3
- CVE-2019-17013: Memory safety bugs fixed in Firefox 71
Moderate
- CVE-2019-17014: Dragging and dropping a cross-origin resource, incorrectly loaded as an image, could result in information disclosure
- CVE-2019-17009: Updater temporary files accessible to unprivileged processes
- CVE-2019-17010: Use-after-free when performing device orientation checks
- CVE-2019-17005: Buffer overflow in plain text serializer
- CVE-2019-17011: Use-after-free when retrieving a document in antitracking
New
- Improvements to Lockwise, our integrated password manager:
- Firefox now recognizes subdomains and will autofill domain logins from Lockwise
- Integrated breach alerts from Firefox Monitor are now available to users with screen readers
- More information about Enhanced Tracking Protection in action:
- Notifications when Firefox blocks cryptominers
- A running tally of blocked trackers in the protection panel accessed by clicking the address bar shield
- Picture-in-picture video comes to Firefox for Windows: Select the blue icon from the right edge of a video to pop open a floating window so you can keep watching while working in other tabs. Learn how the feature works.
- Native MP3 decoding on Windows, Linux, and macOS
Changed
- Configuration page (about:config) reimplemented in HTML
- Firefox will now ship with Catalan (Valencian) (ca-valencia), Tagalog (tl), and Triqui (trs)
Thursday, November 14, 2019
Adobe Acrobat DC and Acrobat Reader DC Bugfix Update Released
Adobe has released Acrobat DC and Acrobat Reader DC version 19.021.20056, an optional hotfix patch that addresses bug fixes. Information regarding known issues not covered at the time of release is available here. The bug fixes include the following:
Performance
- 4286964: Acrobat fails to close and consumes CPU if Personalize registry is not present on the system
- 4287107: Acrobat becomes unresponsive while it populates recent list if it contains items opened through a mapped network drive
Export PDF
- 4283536: Unable to Export Pdf and Save to Document Cloud
Services Integration
- 4287368: Application crashes if tDIText entry is missing in registry for Recent Files
Combine
- 4287003: Unable to Combine Multiple PNG files in certain scenarios
Accessibility
- 4286741: Mac OS Catalina: There was a raise without a handler error after opening PDF file when OnScreen keyboard is open
Web Capture
- 4287029: Extra HTML content being added to PDF when converting selection in IE’s context menu
Preflight
- 4287186: Japanese characters and symbols like “()” appears incorrectly in Preflight report
- 4287232: Putting Second digital signature breaks PDF/A conformance
- 4287176: Size of Preflight report becomes huge for JPN/KOR/Chinese locale after updating
Update or Complete Download
Reader DC and Acrobat DC were updated to version 19.021.20056. Update checks can be manually activated by choosing Help/Check for Updates.
- Reader DC and other versions are available here: https://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
- Acrobat DC for Windows is available here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
Wednesday, November 13, 2019
Adobe Flash Player Update Released
Adobe released Version 32.0.0.293 of Adobe Flash Player for Windows, macOS, Linux and Chrome OS. The update contains assorted functional fixes.
Release date: November 13, 2019
Vulnerability identifier: None
Platform: Windows, Macintosh, Linux and Chrome OS
Note: The embedded ActiveX Flash for Windows 8.1/10 remains at 32.0.0.255
Update:
- With the option to 'Allow Adobe to install updates', the update will be automatic. Without that setting enabled, either install the update via the update mechanism when prompted or via the Download Center*.
- Windows 7 and earlier: Installation links for Windows 7 and earlier are provided by Adobe at Installation problems | Flash Player | Windows 7 and earlier:
- Flash Player for Internet Explorer - ActiveX
- Flash Player for Firefox/Pale Moon - NPAPI
- Flash Player for Opera and Chromium-based browsers - PPAPI
- Uninstaller (if needed) : http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe
- Microsoft Edge and Internet Explorer 11: Security updates for Adobe Flash Player are automatically updated to the latest version for Windows 8.1 and 10 via Windows Update.
- Google Chrome: Adobe Flash Player will be automatically updated to the latest Google Chrome version.
- Flash Player Uninstaller: http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe
- Adobe AIR: Adobe - Adobe AIR
*Important Note: Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive. If you use the download center, uncheck any unnecessary extras that you do not want. They are not needed for the Flash Player update.
Verify Installation
To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. Do this for each browser installed on your computer.
To verify the version of Adobe Flash Player for Android, go to Settings/Applications/Manage Applications/Adobe Flash Player x.x.
Tuesday, November 12, 2019
Microsoft November 2019 Security Updates
The Microsoft November security updates have been released and consist of 74 CVEs and one new Advisory. Of these 74 CVEs, 13 are rated Critical and 16 are rated Important. The advisory is listed as publicly known and one CVE is listed under active attack.
The updates apply to the following: Microsoft Windows, Internet Explorer (IE), Microsoft Edge (EdgeHTML-based), ChakraCore, Office and Office Services and Web Apps, Open Source Software, Exchange Server, and Visual Studio.
Note: Adobe has not issued a Flash Player update.
Also of note, the Windows 10 November 2019 update has been released. See How to get the Windows 10 November 2019 Update | Windows Experience Blog.
Known Issues: The following KBs contain information about known issues with the security updates. For a complete list of security update KBs, please see 20191112
KB Article | Applies To |
---|---|
4484113 | Microsoft Exchange Server |
4523171 | Microsoft Exchange Server |
4523205 | Windows 10, version 1809, Windows Server 2019 |
4524570 | Windows 10, version 1903, Windows Server version 1903 |
4525232 | Windows 10 |
4525236 | Windows 10, version 1607, Windows Server 2016 |
4525237 | Windows 10, version 1803, Windows Server version 1803 |
4525241 | Windows 10, version 1709 |
4525243 | Windows 8.1, Windows Server 2012 R2 (Monthly Rollup) |
4525246 | Windows Server 2012 (Monthly Rollup) |
4525250 | Windows 8.1, Windows Server 2012 R2 (Security-only update) |
4525253 | Windows Server 2012 (Security-only update) |
Recommended Reading:
See Dustin Childs' review and analysis in Zero Day Initiative — The November 2019 Security Update Review.
For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary. Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.
Additional Update Notes:
- Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
- MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. Note: Users who are paranoid about the remote possibility of a false positive (FP) can opt to run this tool from a Command Prompt, appending a /N parameter [for "detect only" mode].
- Servicing Stack Updates -- A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update. Learn more about SSUs in Servicing Stack Updates (SSU).
- Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are also available via the Microsoft Update Catalog.
- For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
- Windows Update History:
Monday, November 11, 2019
Lest We Forget
The "eleventh hour of the eleventh day of the eleventh month" of 1918. Whether you call it Veteran's Day, Armistice Day or Remembrance Day, November 11th is a time to put aside politics and pay tribute to all who died for their country. It is also a perfect time to thank the Veterans in whatever country you live in.
As in previous years, I am republishing a portion of my friend Canuk's last tribute and, once again, adding a special thank you to my friends Mitch the "Phantom Phixer" and Larry, "Ghost".
The comment Canuk posted provides one example of why he was a special person:
"I too "will remember your friends who never had a full life", while thanking you and your comrades who have served with pride, honesty and honour."
LEST WE FORGET
posted by canuk at 11:35 AM
Monday, November 04, 2019
Malwarebytes 4.0 for Windows Released
Malwarebytes Version 4.0 has been released. The update includes the new Malwarebytes Katana Engine, which has new detection technologies to provide greater security. In addition, the user interface has been redesigned.
Following are the key features from the Announcement:
- Improved zero-hour detection – pinpoints new threats as they arise and before they can wreak havoc on your device
- Expanded malware detection – blocks even more malware for improved protection
- Signature-less behavioral detection – identifies the latest variants of dangerous malware families that attempt to evade traditional signatures through runtime packing, obfuscation and encryption, offering instant protection against new threats that traditional AV has a hard time detecting
- Faster threat definition process – streamlines the publishing of new definitions, reducing the time it takes to protect you from new threats
- Revamped user interface – Completely redesigned user interface that is intuitive, more informative and simple to use
- Threat statistics – allows you to see what Malwarebytes is doing for you in real-time and get a first-hand view of what threats are coming at you (and being blocked)
- Cybersecurity news – dynamic feed keeps you informed of the latest threats and other security topics
- Easier updates – more automation means you receive the latest protection with less effort
System Requirements: Malwarebytes Version 4.0 no longer works on Windows XP or Windows Vista. However, Malwarebytes 3.x will be supported for the foreseeable future.
Windows 10 Note: Although Malwarebytes is an antivirus software, if you use another program (Windows Defender, McAfee, etc.) as your antivirus, it is necessary to make a change in Malwarebytes. Go to Settings > Windows Action Center and change the setting to "Never register Malwarebytes in the Action Center". Malwarebytes 4.0 will continue to run with the installed antivirus in compatibility mode.
Update:
Malwarebytes 4.0 can be installed over the top of your existing Malwarebytes programs. If you do not want to wait for the upgrade to be offered, you can download and run the installer from https://www.malwarebytes.com/ (direct download link here). Malwarebytes 4.0 will automatically remove the old Anti-Malware, Anti-Exploit and Anti-Ransomware and upgrade them all to Malwarebytes 4.0.
Thursday, October 31, 2019
Mozilla Firefox Version 70.0.1 Released
Mozilla sent Firefox Version 70.0.1 to the release channel today. The update included several bug fixes, including one that resulted in some sites failing to load.
As of the time of this posting there was no indication of an update for Firefox ESR.
Fixed
- Fix for an issue that caused some websites or page elements using dynamic JavaScript to fail to load. (Bug 1592136)
- Update OpenH264 video plugin for macOS 10.15 users (Bug 1587543)
- Title bar no longer shows in full screen view (Bug 1588747)
Changed
Update: To get the update now, select "Help" from the Firefox menu, then pick "About Firefox." Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.
Tuesday, October 29, 2019
Pale Moon Version 28.7.2 Released with Security Updates
Pale Moon has been updated to version 28.7.2. This is a security and bugfix update.
From the Release Notes:
Changes/fixes:
- Disabled the use of ICC color profiles for images on Linux by default.
- Updated timezone data for internationalization functions.
- Fixed the option to use hardware acceleration over RDP for Windows 8.1 and 10.
- Fixed an issue with inner window navigation potentially leaking.
- Fixed a startup crash caused by Qihoo 360 Safeguard/360 Total Security.
- Ported some expat parser fixes from upstream.
- Ported several NSS upstream fixes to our build.
- Aligned handling of U+0000 in the html5 parser with expectations.
- Added size checks to WebGL data buffering.
- Fixed build issues with newer glibc versions.
- Fixed build issues for ARM targets.
- Worked around a gcc9 compiler issue that would prevent building with it.
- Sec bug fixes: CVE-2019-15903, CVE-2019-11757, CVE-2019-11763 and several potentially exploitable crashes and memory safety hazards that don't have a CVE number.
- Unified XUL Platform Mozilla Security Patch Summary: 6 fixed, 6 DiD, 1 rejected, 24 not applicable.
Update: To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window. Click About Pale Moon and Check for Updates.
Thursday, October 24, 2019
Windows 10 Version 1903 Cumulative Update Released
Microsoft released cumulative update KB 4522355 with non-security improvements and fixes for Windows 10 Version 1903 today. The update includes a long list of non-security quality improvements. There are currently no known issues with the update.
The highlights listed are as follows:
- Updates an issue that prevents Microsoft Narrator from working in certain touch mode scenarios.
- Updates an issue that starts assistive technology (AT) (such as Microsoft Narrator, Magnifier, or NVDA) after signing in when you've configured it to start before signing in.
- Updates an issue that causes Magnifier to stop working in certain scenarios, and you have to restart it manually.
- Updates an issue that causes Microsoft Narrator to stop working in the middle of a session in certain scenarios.
- Updates an issue that might prevent a scroll bar from being selected.
- Updates an issue that allows a device to go to Sleep (S3) even if you configure the device to never sleep.
- Updates an issue that prevents you from shrinking a window in some cases.
- Updates an issue that prevents you from connecting to a virtual private network (VPN).
- Updates an issue that causes screen flickering or is slow to display the screen when you show application thumbnails on a monitor that has high dots per inch (DPI).
- Updates an issue that causes the tile for the Photos app to appear larger than expected in the Start menu under certain conditions.
- Updates an issue that causes the system to stop responding at the sign-in screen.
- Updates an issue that might cause a black screen to appear the first time you sign in after installing a feature or quality update.
- Updates an issue that causes the Start menu, the Cortana Search bar, Tray icons, or Microsoft Edge to stop responding in certain scenarios after installing a monthly update.
To download and install the update, go to Settings -> Update and Security -> Windows Update and select Check for updates. The standalone package for this update is available in the Microsoft Update Catalog. In addition, with Windows Update, the latest SSU (KB4525419) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the Microsoft Update Catalog.
Windows 10 update history
Tuesday, October 22, 2019
Mozilla Firefox Version 70.0 Released with Security Updates
Mozilla sent Firefox Version 70.0 to the release channel today. The update included thirteen (13) security updates of which one (1) is critical, three (3) are high, eight (8) are moderate and one (1) is rated low.
With the release of Version 70.0, the Enhanced Tracking Protection added in Version 69.0 is on by default on all platforms. Information about the feature is available in the Mozilla blog post, Latest Firefox Brings Privacy Protections Front and Center Letting You Track the Trackers.
Also released was Firefox ESR Version 68.2.
Critical
High
- CVE-2018-6156: Heap buffer overflow in FEC processing in WebRTC
- CVE-2019-15903: Heap overflow in expat library in XML_GetCurrentLineNumber
- CVE-2019-11757: Use-after-free when creating index updates in IndexedDB
Moderate
- CVE-2019-11759: Stack buffer overflow in HKDF output
- CVE-2019-11760: Stack buffer overflow in WebRTC networking
- CVE-2019-11761: Unintended access to a privileged JSONView object
- CVE-2019-11762: document.domain-based origin isolation has same-origin-property violation
- CVE-2019-11763: Incorrect HTML parsing results in XSS bypass technique
- CVE-2019-11765: Incorrect permissions could be granted to a website
- CVE-2019-17000: CSP bypass using object tag with data: URI
- CVE-2019-17001: CSP bypass using object tag when script-src 'none' is specified
Low
New
- More privacy protections from Enhanced Tracking Protection:
  - Social tracking protection, which blocks cross-site tracking cookies from sites like Facebook, Twitter, and LinkedIn, is now a standard feature of Enhanced Tracking Protection.
  - The Privacy Protections report shows an overview, with details, of the trackers Firefox has blocked. It provides consolidated reports from Monitor and Lockwise.
- More security protections from Firefox Lockwise, our digital identity and password management tool:
  - Lockwise for desktop lets you create, update, and delete your logins and passwords to sync across all your devices, including the Lockwise mobile apps and Firefox mobile browsers.
  - Integrated breach alerts from Firefox Monitor, to alert you when saved logins and passwords are compromised in online data breaches.
  - Complex password generation, to help you create and save strong passwords for new online accounts.
- Improvements to core engine components, for better browsing on more sites
  - A faster Javascript Baseline Interpreter to handle the modern web’s large codebases and improve page load performance by as much as 8 percent.
  - WebRender rolled out to more Firefox for Windows users, now available by default on Windows desktops with integrated Intel graphics cards and resolution of 1920x1200 or less, for improved graphics rendering.
  - Compositor improvements in Firefox for macOS that reduce power consumption, speed up page load by as much as 22 percent, and reduce resource use for video by up to 37 percent.
- More browser features to help you get the most out of Firefox products and services
  - A stand-alone Firefox account menu for easy access to Firefox services like Monitor and Send.
  - A message panel accessed from the gift icon in the toolbar that offers a quick overview of new releases and key features.
  - When a website uses your geolocation, an indicator is shown in the address bar.
Changed
- Built-in Firefox pages now follow the system dark mode preference
- Aliased theme properties have been removed, which may affect some themes
- Passwords can now be imported from Chrome on macOS in addition to existing support for Windows
- Readability is now greatly improved on under- or overlined texts, including links. The lines will now be interrupted instead of crossing over a glyph.
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...
Friday, October 18, 2019
Adobe Acrobat DC and Reader DC Out-of-Band Update Released
Adobe has released an out-of-band update for Adobe Acrobat and Reader which contains stability and services load optimization fixes, updating the latest release to version 2019.021.20048.
Release date: October 17, 2019
Vulnerability identifier: None
Platform: Windows and MacOS
The Release Notes for Adobe Acrobat and Reader have been updated with the following notice:
"Note : A follow up update (19.021.20048) is available which fixes critical issues in this update. Adobe recommends that you directly pick the next update - 19.021.20048."
Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.
Tuesday, October 15, 2019
Oracle Java Critical Security Updates Released
Oracle released the scheduled critical security updates for its Java SE Runtime Environment software. This Critical Patch Update contains 20 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
Update
If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.
Download Information
Java SE 13
- Release Notes: https://www.oracle.com/technetwork/java/javase/documentation/13u-relnotes-5461742.html
- Download: https://www.oracle.com/technetwork/java/javase/downloads/index.html#JDK13
Java SE 11
- Release Notes: https://www.oracle.com/technetwork/java/javase/documentation/11u-relnotes-5093844.html
- Download: https://www.oracle.com/technetwork/java/javase/downloads/index.html#JDK11
Java SE 8
- Release Notes: https://www.oracle.com/technetwork/java/javase/8u-relnotes-2225394.html
- Download: https://www.oracle.com/technetwork/java/javase/downloads/index.html#JDK8
Notes:
- UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional. Preferably, see the instructions below on how to handle "Unwanted Extras".
- Oracle does not plan to migrate desktops from Java 8 to Java 9 through the auto update feature. Therefore, it is strongly recommended that you uninstall JRE 8 prior to updating.
- Verify your version: http://www.java.com/en/download/testjava.jsp. Note: The Java version verification page will only work if your browser has NPAPI support. Otherwise, to check the version, open a cmd window and enter the following (note the space following java): java -version
Critical Patch Updates
For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
- 14 January 2020
- 14 April 2020
- 14 July 2020
- 20 October 2020
Unwanted "Extras"
Although most people do not need Java on their computer, there are some programs and games that require Java. In the event you need to continue using Java, How-to Geek discovered a little-known and unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates. Although the Ask Toolbar has been removed, that does not preclude the pre-checked option for some other unnecessary add-on.
Do the following to suppress the sponsor offers:
- Launch the Windows Start menu
- Click on Programs
- Find the Java program listing
- Click Configure Java to launch the Java Control Panel
- Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
- Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.
Java Security Recommendations
1) In the Java Control Panel, at minimum, set the security to high.
2) Keep Java disabled until needed. Uncheck the box "Enable Java content in the browser" in the Java Control Panel.
References
- Java, The Never-Ending Saga
- Critical Patch Updates and Security Alerts
- Oracle Java SE Risk Matrix
- Oracle Quality Assurance Blog